Regulatory guidance sets out fundamental expectations. From both a day-to-day management standpoint and an exam standpoint, it's important that these pillars are in place and functioning in your institution. Learn more about these pillars.
Hi, I'm Branan Cooper, Chief Risk Officer here at Venminder. Welcome to Third Party Thursday. Today we're going to focus on the Pillars of Third Party Risk Management.
The regulatory guidance is fairly consistent on the broad pillars of sound third party risk management practices. Fortunately, each area of the guidance pretty much agrees with the others in terms of what the basic pillars are. The pillars are very much interrelated and have a lot of overlap in terms of what activities are required.
It generally starts with selecting a vendor. This needs to be a formalized process and needs to be included in your third party risk management program, so that you have a process for both approving and going through the appropriate steps of doing so.
It then goes into risk assessment. Risk assessment is identifying all the potential risks of doing business with a particular third party. Intertwined with that are the necessary steps of due diligence documentation. In gathering due diligence documentation, you need to make sure it well informs your risk assessment process; again, there's quite a lot of overlap between the two.
Once you've completed that, and ideally you have done all of this prior to signing the contract, what you've learned through the risk assessment process will then lead to the ongoing monitoring activities. Ongoing monitoring really is a term that needs some attention, because it needs to be tailored to the type of risk associated with that third party and the particular product or service they are performing.
Coupled with all of this is the need to keep your senior management team well-informed through a series of regular reports on each area of third party risk management.
And then finally, contract management. Ideally, it is a very centralized process in which everything works hand in hand, with requirements in the contract covering additional items you may want to see from the due diligence perspective, addressing particular concerns raised in the risk assessment and then, finally, activities like service level agreements that you'll want to see from an ongoing monitoring standpoint.
All of these together form a well-managed third party risk program. That's our show for today, I look forward to seeing you for our next Third Party Thursday.